Abstract — In this paper we review algorithms for checking diagnosability of discrete-event systems and timed automata. We point out that the diagnosability problems in both cases reduce to the emptiness problem for (timed) Büchi automata. Moreover, it is known that checking whether a discrete-event system is diagnosable can also be reduced to checking bounded diagnosability. We establish a similar result for timed automata. We also provide a synthesis of the complexity results for the different fault diagnosis problems.

Note: This paper is an extended version of the paper published in the proceedings of CDC'09.

I. Introduction 

Discrete-event systems [1], [2] (DES) can be modelled by finite automata over an alphabet of observable events $\Sigma$. To address decision problems under partial observation of DES, it is sufficient to add a special event $\tau$ which represents all the unobservable actions.

The fault diagnosis problem is a typical example of a problem under partial observation. We assume that the behavior of the DES is known and a model of it is available as a finite automaton over an alphabet $\Sigma \cup \{\tau, f\}$, where $\Sigma$ is the set of observable events, $\tau$ represents the unobservable events, and $f$ is a special unobservable event that corresponds to the faults: this is the original framework introduced by M. Sampath et al. [3] and the reader is referred to this paper for a clear and exhaustive introduction to the subject. The aim of fault diagnosis is to detect faulty sequences of the DES by observing only the events in $\Sigma$. A faulty sequence is a sequence of the DES containing an occurrence of event $f$. We assume that an observer which has to detect faults knows the specification/model of the DES, and is able to observe sequences of observable events. Based on this knowledge, it has to announce whether an observation (a word in $\Sigma^*$) was produced by a faulty sequence (in $(\Sigma \cup \{\tau, f\})^*$) or not. A diagnoser (for a DES) is an observer which observes the sequences of observable events and is able to detect whether a fault event occurred, although it is not observable. If a diagnoser can detect a fault at most $\Delta$ steps after it occurred, the DES is said to be $\Delta$-diagnosable. It is diagnosable if it is $\Delta$-diagnosable for some $\Delta \in \mathbb{N}$. Checking whether a DES is $\Delta$-diagnosable for a given $\Delta$ is called the bounded diagnosability problem; checking whether a DES is diagnosable is the diagnosability problem.

Checking diagnosability for a given DES and a fixed set of observable events can be done in polynomial time using the algorithms of [5], [6]. Nevertheless the size of the diagnoser can be exponential as it involves a determinization step. The extension of this DES framework to timed automata [7] (TA) has been proposed by S. Tripakis [8], who proved that the problem of checking diagnosability of a timed automaton is PSPACE-complete. In the timed case, the diagnoser may be a Turing machine. In a subsequent work by P. Bouyer et al. [9], the problem of checking whether a timed automaton is diagnosable by a diagnoser which is a deterministic timed automaton was studied (we will not refer to this work in this paper).

The algorithms proposed in the DES framework [5], [6] and in the timed automata framework [8] rely on different assumptions and use different techniques: for example [5], [6] assume that the DES is live and contains no unobservable loops; the algorithm to check the diagnosability problem then consists in checking whether a cycle exists in a suitable product automaton; the algorithm of [8] for timed automata consists in checking whether an infinite word can be accepted by a (product) Büchi automaton: the main reason for the use of a Büchi acceptance condition in this case is to ensure time divergence.

Our Contribution. In this paper, we try to put into perspective the results of [5], [6], [8], [10] by giving a uniform presentation of the algorithms for fault diagnosis both in the DES and timed automata settings. We also establish a (not difficult but still) missing result for timed automata: diagnosability can be reduced to bounded diagnosability. Another contribution of this paper is to examine in detail the complexity of the problems; this is summarized in Table I.

The results in this paper that are not new and have already been published are followed by the reference(s) in the body of the text or after the Theorem keyword.

One such result is Theorem 3 which already appeared in [10]. It generalizes the previous results of [5], [6] and shows that fault diagnosis reduces to Büchi emptiness for DES. This has some interesting consequences regarding the algorithmic aspects of the problem as well as the tools that can be used to verify diagnosability. These considerations (Section IV) might be of interest for the DES community.

Organisation of the Paper. Section II recalls the definitions of timed automata. Section III introduces the fault diagnosis problems we are interested in. Sections IV and V describe the algorithms to solve the diagnosability problems respectively for DES and TA. Section VI summarizes the results.

II. Preliminaries 

$\Sigma$ denotes a finite alphabet and $\Sigma_\tau = \Sigma \cup \{\tau\}$ where $\tau \notin \Sigma$ is the unobservable action. $\mathbb{B} = \{\text{true}, \text{false}\}$ is the set of boolean values, $\mathbb{N}$ the set of natural numbers, $\mathbb{Z}$ the set of integers and $\mathbb{Q}$ the set of rational numbers. $\mathbb{R}$ is the set of real numbers and $\mathbb{R}_{\ge 0}$ is the set of non-negative real numbers.

A. Clock Constraints 

Let $X$ be a finite set of variables called clocks. A clock valuation is a mapping $v : X \to \mathbb{R}_{\ge 0}$. We let $\mathbb{R}_{\ge 0}^X$ be the set of clock valuations over $X$. We let $\mathbf{0}_X$ be the zero valuation where all the clocks in $X$ are set to $0$ (we use $\mathbf{0}$ when $X$ is clear from the context). Given $\delta \in \mathbb{R}$, $v + \delta$ denotes the valuation defined by $(v + \delta)(x) = v(x) + \delta$. We let $\mathcal{C}(X)$ be the set of convex constraints on $X$, i.e., the set of conjunctions of constraints of the form $x \bowtie c$ with $c \in \mathbb{Z}$ and $\bowtie \in \{<, \le, =, \ge, >\}$. Given a constraint $g \in \mathcal{C}(X)$ and a valuation $v$, we write $v \models g$ if $g$ is satisfied by $v$. Given $R \subseteq X$ and a valuation $v$, $v[R]$ is the valuation defined by $v[R](x) = v(x)$ if $x \notin R$ and $v[R](x) = 0$ otherwise.

B. Timed Words 

The set of finite (resp. infinite) words over $\Sigma$ is $\Sigma^*$ (resp. $\Sigma^\omega$) and we let $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. A language $L$ is any subset of $\Sigma^\infty$. A finite (resp. infinite) timed word over $\Sigma$ is a word in $(\mathbb{R}_{\ge 0}.\Sigma)^*.\mathbb{R}_{\ge 0}$ (resp. $(\mathbb{R}_{\ge 0}.\Sigma)^\omega$). We let $Dur(w)$ be the duration of a timed word $w$, which is defined to be the sum of the durations (in $\mathbb{R}_{\ge 0}$) which appear in $w$; if this sum is infinite, the duration is $\infty$. Note that the duration of an infinite word can be finite, and such words, which contain an infinite number of letters, are called Zeno words. We let $Unt(w)$ be the untimed version of $w$ obtained by erasing all the durations in $w$, e.g., $Unt(0.4\,a\,1.0\,b\,2.7\,c) = abc$. In this paper we write timed words as $0.4\,a\,1.0\,b\,2.7\,c \cdots$ where the real values are the durations elapsed between two letters: thus $c$ occurs at global time $4.1$.

$TW^*(\Sigma)$ is the set of finite timed words over $\Sigma$, $TW^\omega(\Sigma)$ the set of infinite timed words and $TW^\infty(\Sigma) = TW^*(\Sigma) \cup TW^\omega(\Sigma)$. A timed language is any subset of $TW^\infty(\Sigma)$.

Let $\pi_{/\Sigma'}$ be the projection of timed words of $TW^\infty(\Sigma)$ over timed words of $TW^\infty(\Sigma')$. When projecting a timed word $w$ on a sub-alphabet $\Sigma' \subseteq \Sigma$, the durations elapsed between two events are set accordingly: for instance $\pi_{/\{a,c\}}(0.4\,a\,1.0\,b\,2.7\,c) = 0.4\,a\,3.7\,c$ (projection erases some letters but keeps the time elapsed between two letters). Given a timed language $L$, we let $Unt(L) = \{Unt(w) \mid w \in L\}$. Given $\Sigma' \subseteq \Sigma$, $\pi_{/\Sigma'}(L) = \{\pi_{/\Sigma'}(w) \mid w \in L\}$.
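As an added illustration of the timed-word definitions above (this is example code, not code from the paper), the following Python computes $Dur$, $Unt$, the global occurrence time of each letter and the projection $\pi_{/\Sigma'}$ for words written in the paper's notation. The representation as (delay, letter) pairs plus a trailing delay, and the function names, are assumptions of the example; the projection is the general one for an arbitrary sub-alphabet, of which the paper's $\pi_{/\{a,c\}}$ is one instance.

```python
from fractions import Fraction

# A finite timed word of (R>=0 . Sigma)* . R>=0 is stored as (pairs, tail):
# pairs = [(delay, letter), ...], delay being the time since the previous letter,
# tail = the trailing delay (0 when the word ends on a letter).
# Exact arithmetic (Fraction) avoids float drift when delays are summed.

def parse_timed_word(text):
    """Parse the paper's notation, e.g. '0.4 a 1.0 b 2.7 c' or '0.4 a 1.0 b 0.5'."""
    tokens = text.split()
    tail = Fraction(tokens.pop()) if len(tokens) % 2 == 1 else Fraction(0)
    pairs = [(Fraction(tokens[i]), tokens[i + 1]) for i in range(0, len(tokens), 2)]
    if any(d < 0 for d, _ in pairs) or tail < 0:
        raise ValueError("delays must be non-negative")
    return pairs, tail

def format_timed_word(word):
    """Inverse of parse_timed_word, e.g. ([(0.4,'a'),(3.7,'c')], 0) -> '0.4 a 3.7 c'."""
    pairs, tail = word
    parts = [f"{float(d):g} {a}" for d, a in pairs]
    if tail:
        parts.append(f"{float(tail):g}")
    return " ".join(parts)

def dur(word):
    """Dur(w): the sum of all durations appearing in w (trailing delay included)."""
    pairs, tail = word
    return sum((d for d, _ in pairs), tail)

def unt(word):
    """Unt(w): erase the durations, keep the letters."""
    return "".join(a for _, a in word[0])

def global_times(word):
    """Absolute time of each letter: c occurs at 4.1 in '0.4 a 1.0 b 2.7 c'."""
    now, out = Fraction(0), []
    for d, a in word[0]:
        now += d
        out.append((now, a))
    return out

def project(word, sub_alphabet):
    """pi_{/Sigma'}(w): erase the letters outside Sigma' but keep the time elapsed,
    by folding each erased letter's delay into the next kept letter (or the tail)."""
    pairs, tail = word
    out, carry = [], Fraction(0)
    for d, a in pairs:
        carry += d
        if a in sub_alphabet:
            out.append((carry, a))
            carry = Fraction(0)
    return out, carry + tail

if __name__ == "__main__":
    w = parse_timed_word("0.4 a 1.0 b 2.7 c")      # the paper's example word
    print(unt(w), float(dur(w)), format_timed_word(project(w, {"a", "c"})))
```

Projecting onto the empty sub-alphabet erases every letter but leaves the duration unchanged, which is exactly the "keeps the time elapsed" property the text insists on.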

C. Timed Automata 

Timed automata (TA) are finite automata extended with 
real-valued clocks to specify timing constraints between 
occurrences of events. For a detailed presentation of the 
fundamental results for timed automata, the reader is referred 
to the seminal paper of R. Alur and D. Dill [7]. 

Definition 1 (Timed Automaton): A Timed Automaton $A$ is a tuple $(L, l_0, X, \Sigma_\tau, E, Inv, F, R)$ where: $L$ is a finite set of locations; $l_0$ is the initial location; $X$ is a finite set of clocks; $\Sigma$ is a finite set of actions; $E \subseteq L \times \mathcal{C}(X) \times \Sigma_\tau \times 2^X \times L$ is a finite set of transitions; for $(\ell, g, a, r, \ell') \in E$, $g$ is the guard, $a$ the action, and $r$ the reset set; $Inv \in \mathcal{C}(X)^L$ associates with each location an invariant; as usual we require the invariants to be conjunctions of constraints of the form $x \bowtie c$ with $\bowtie \in \{<, \le\}$. $F \subseteq L$ and $R \subseteq L$ are respectively the final and repeated sets of locations. ■

An example of TA is given in Fig. 1. A state of $A$ is a pair $(\ell, v) \in L \times \mathbb{R}_{\ge 0}^X$. A run $\rho$ of $A$ from $(\ell_0, v_0)$ is a (finite or infinite) sequence of alternating delay and discrete moves:

$\rho = (\ell_0, v_0) \xrightarrow{\delta_0} (\ell_0, v_0 + \delta_0) \xrightarrow{a_0} (\ell_1, v_1) \xrightarrow{\delta_1} \cdots$

s.t. for every $i \ge 0$:

• $v_i + \delta \models Inv(\ell_i)$ for $0 \le \delta \le \delta_i$,

• there is some transition $(\ell_i, g_i, a_i, r_i, \ell_{i+1}) \in E$ s.t.: (i) $v_i + \delta_i \models g_i$ and (ii) $v_{i+1} = (v_i + \delta_i)[r_i]$.

The set of finite (resp. infinite) runs from a state $s$ is denoted $Runs^*(s, A)$ (resp. $Runs^\omega(s, A)$) and we define $Runs^*(A) = Runs^*((l_0, \mathbf{0}), A)$ and $Runs^\omega(A) = Runs^\omega((l_0, \mathbf{0}), A)$. As before $Runs(A) = Runs^*(A) \cup Runs^\omega(A)$. If $\rho$ is finite and ends in $s_n$, we let $last(\rho) = s_n$. Because of the denseness of the time domain, the unfolding of $A$ as a graph is infinite (uncountable number of states and delay edges). The trace, $tr(\rho)$, of a run $\rho$ is the timed word $\pi_{/\Sigma}(\delta_0 a_0 \delta_1 a_1 \cdots a_n \delta_n \cdots)$. We let $Dur(\rho) = Dur(tr(\rho))$. For $V \subseteq Runs(A)$, we let $Tr(V) = \{tr(\rho) \mid \rho \in V\}$, which is the set of traces of the runs in $V$.

A finite (resp. infinite) timed word $w$ is accepted by $A$ if it is the trace of a run of $A$ that ends in an $F$-location (resp. a run that reaches infinitely often an $R$-location). $\mathcal{L}^*(A)$ (resp. $\mathcal{L}^\omega(A)$) is the set of traces of finite (resp. infinite) timed words accepted by $A$, and $\mathcal{L}(A) = \mathcal{L}^*(A) \cup \mathcal{L}^\omega(A)$ is the set of timed words accepted by $A$. In the sequel we often omit the sets $R$ and $F$ in TA and this implicitly means $F = L$ and $R = \emptyset$.

A finite automaton (FA) is a particular TA with $X = \emptyset$. Consequently guards and invariants are vacuously true and time elapsing transitions do not exist. We write $A = (L, l_0, \Sigma_\tau, E, F, R)$ for a FA. A run is thus a sequence of the form:

$\rho = \ell_0 \xrightarrow{a_0} \ell_1 \cdots \xrightarrow{a_{n-1}} \ell_n \cdots$

where for each $i \ge 0$, $(\ell_i, a_i, \ell_{i+1}) \in E$. Definitions of traces and languages are straightforward. In this case, the duration of a run $\rho$ is the number of steps (including $\tau$-steps) of $\rho$: if $\rho$ is finite and ends in $\ell_n$, $Dur(\rho) = n$ and otherwise $Dur(\rho) = \infty$.
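To make the run conditions of Definition 1 concrete, here is an added Python example (not code from the paper). It replays a sequence of alternating delay and discrete moves on a small constructed timed automaton, checks the invariant along each delay and the guard at each discrete move, applies the resets, and computes the trace $tr(\rho)$ by erasing $\tau$ and $f$ as Section II-B prescribes. The automaton, its location names, the event names `tau` and `f` and the helper names are assumptions for the example; it is not the automaton of Fig. 1, but it exhibits the same phenomenon as Example 1 below: a faulty run and a non-faulty run with identical traces.

```python
from fractions import Fraction

TAU, FAULT = "tau", "f"      # unobservable events; every other action is in Sigma

# A convex constraint of C(X) is a list of atoms (clock, op, c); [] is `true`.
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

def satisfies(v, g):
    """v |= g for a valuation v (dict clock -> Fraction) and a constraint g."""
    return all(OPS[op](v[x], c) for x, op, c in g)

def elapse(v, d):
    """v + delta: every clock advances by delta."""
    return {x: t + d for x, t in v.items()}

def reset(v, r):
    """v[R]: clocks in R go to 0, the others keep their value."""
    return {x: (Fraction(0) if x in r else t) for x, t in v.items()}

class TimedAutomaton:
    """A = (L, l0, X, Sigma_tau, E, Inv): E is a list of (l, guard, action, resets, l'),
    Inv a dict location -> constraint (a missing entry means `true`)."""
    def __init__(self, init, clocks, edges, inv):
        self.init, self.clocks, self.edges, self.inv = init, list(clocks), edges, inv

def run_states(ta, steps):
    """Replay alternating (delay, edge index) moves from (l0, 0) and return the
    visited states; raises ValueError at the first move that violates the run
    conditions (invariant along the delay, guard at the discrete move)."""
    loc, v = ta.init, {x: Fraction(0) for x in ta.clocks}
    states = [(loc, dict(v))]
    for delay, e in steps:
        v = elapse(v, Fraction(delay))
        # invariants are conjunctions of x < c / x <= c, so if one holds at v + delta
        # it holds on the whole interval [0, delta]: a single check suffices
        if not satisfies(v, ta.inv.get(loc, [])):
            raise ValueError(f"invariant of {loc} violated after delay {delay}")
        states.append((loc, dict(v)))
        src, guard, _action, resets, dst = ta.edges[e]
        if src != loc:
            raise ValueError(f"edge {e} does not leave {loc}")
        if not satisfies(v, guard):
            raise ValueError(f"guard of edge {e} not satisfied")
        loc, v = dst, reset(v, resets)
        states.append((loc, dict(v)))
    return states

def is_valid_run(ta, steps):
    try:
        run_states(ta, steps)
        return True
    except ValueError:
        return False

def trace(ta, steps):
    """tr(rho) = pi_{/Sigma}(delta0 a0 delta1 a1 ...): tau and f are erased and their
    delays are folded into the delay of the next observable action."""
    word, carry = [], Fraction(0)
    for delay, e in steps:
        carry += Fraction(delay)
        action = ta.edges[e][2]
        if action not in (TAU, FAULT):
            word.append((carry, action))
            carry = Fraction(0)
    return word

def is_faulty(ta, steps):
    """A run is faulty iff one of its discrete moves is labelled f."""
    return any(ta.edges[e][2] == FAULT for _, e in steps)

# Constructed automaton for this example (an assumption, not A(alpha) of Fig. 1):
# one clock x; after a, either b fires from l1 when x >= 2 under invariant x <= 3,
# or a silent fault f resets x and b fires from l3 once x >= 1.
EXAMPLE = TimedAutomaton(
    init="l0", clocks=["x"],
    edges=[("l0", [], "a", {"x"}, "l1"),                  # 0
           ("l1", [("x", ">=", 2)], "b", set(), "l2"),    # 1
           ("l1", [], FAULT, {"x"}, "l3"),                # 2
           ("l3", [("x", ">=", 1)], "b", set(), "l4")],   # 3
    inv={"l1": [("x", "<=", 3)]})

NON_FAULTY = [(1, 0), ("2.5", 1)]        # wait 1, a, wait 2.5, b
FAULTY = [(1, 0), ("0.5", 2), (2, 3)]    # wait 1, a, wait 0.5, f, wait 2, b

if __name__ == "__main__":
    # both runs are valid and give the same observation, yet only one is faulty
    print(trace(EXAMPLE, NON_FAULTY) == trace(EXAMPLE, FAULTY), is_faulty(EXAMPLE, FAULTY))
```

The two sample runs produce the timed word $1\,a\,2.5\,b$ whether or not the fault was taken, which is the situation equation (1) of Section III rules out for a diagnosable system.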

D. Region Graph of a TA 

The region graph $RG(A)$ of a TA $A$ is a finite quotient of the infinite graph of $A$ which is time-abstract bisimilar to $A$ [7]. It is a FA on the alphabet $E' = E \cup \{\tau\}$. The states of $RG(A)$ are pairs $(\ell, r)$ where $\ell \in L$ is a location of $A$ and $r$ is a region of $\mathbb{R}_{\ge 0}^X$. More generally, the edges of the graph are tuples $(s, t, s')$ where $s, s'$ are states of $RG(A)$ and $t \in E'$. Genuine unobservable moves of $A$ labelled $\tau$ are labelled by tuples of the form $(s, (g, \tau, r), s')$ in $RG(A)$. An edge $(g, \lambda, R)$ in the region graph corresponds to a discrete transition of $A$ with guard $g$, action $\lambda$ and reset set $R$. A $\tau$ move in $RG(A)$ stands for a delay move to the time-successor region. The initial state of $RG(A)$ is $(l_0, \mathbf{0})$. A final (resp. repeated) state of $RG(A)$ is a state $(\ell, r)$ with $\ell \in F$ (resp. $\ell \in R$). A fundamental property of the region graph [7] is:

Theorem 1 ([7]): $\mathcal{L}(RG(A)) = Unt(\mathcal{L}(A))$.

In other words:

1) if $w$ is accepted by $RG(A)$, then there is a timed word $v$ with $Unt(v) = w$ s.t. $v$ is accepted by $A$;

2) if $v$ is accepted by $A$, then $Unt(v)$ is accepted by $RG(A)$.

The (maximum) size of the region graph is exponential in the number of clocks and in the maximum constant of the automaton $A$ (see [7]): $|RG(A)| = |L| \cdot |X|! \cdot 2^{|X|} \cdot K^{|X|}$ where $K$ is the largest constant used in $A$.

E. Product of TA 

Definition 2 (Product of TA): Let $A_i = (L_i, l_0^i, X_i, \Sigma^i_\tau, E_i, Inv_i)$, $i \in \{1, 2\}$, be TA s.t. $X_1 \cap X_2 = \emptyset$. The product of $A_1$ and $A_2$ is the TA $A_1 \times A_2 = (L, l_0, X, \Sigma_\tau, E, Inv)$ given by: $L = L_1 \times L_2$; $l_0 = (l_0^1, l_0^2)$; $\Sigma = \Sigma_1 \cup \Sigma_2$; $X = X_1 \cup X_2$; and $E \subseteq L \times \mathcal{C}(X) \times \Sigma_\tau \times 2^X \times L$ and $((\ell_1, \ell_2), g_{1,2}, \sigma, r, (\ell'_1, \ell'_2)) \in E$ if:

• either $\sigma \in (\Sigma_1 \cap \Sigma_2) \setminus \{\tau\}$, and (i) $(\ell_k, g_k, \sigma, r_k, \ell'_k) \in E_k$ for $k = 1$ and $k = 2$; (ii) $g_{1,2} = g_1 \wedge g_2$ and (iii) $r = r_1 \cup r_2$;

• or for $k = 1$ or $k = 2$, $\sigma \in (\Sigma_k \setminus \Sigma_{3-k}) \cup \{\tau\}$, and (i) $(\ell_k, g_k, \sigma, r_k, \ell'_k) \in E_k$; (ii) $g_{1,2} = g_k$ and (iii) $r = r_k$;

and finally $Inv(\ell_1, \ell_2) = Inv(\ell_1) \wedge Inv(\ell_2)$. ■

The definition of product also applies to finite automata.

III. Fault Diagnosis Problems 

The material in this section is based on [6], [8], [10]. To model timed systems with faults, we use timed automata on the alphabet $\Sigma_{\tau,f} = \Sigma_\tau \cup \{f\}$ where $f$ is the faulty (unobservable) event. We only consider one type of fault here, but the results we give are valid for many types of faults $\{f_1, \cdots, f_n\}$: indeed solving the many types diagnosability problem amounts to solving $n$ one type diagnosability problems [6]. Other unobservable events are abstracted as a $\tau$ action (one $\tau$ suffices as these events are all unobservable).

The system we want to supervise is given as a TA $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$. Fig. 1 gives an example of such a system ($\alpha \in \mathbb{N}$ is a parameter). Invariants in the automaton $A(\alpha)$ are written within square brackets as in $[x \le 3]$.
Let $\Delta \in \mathbb{N}$. A run of $A$

$\rho = (\ell_0, v_0) \xrightarrow{\delta_0} (\ell_0, v_0 + \delta_0) \xrightarrow{a_0} (\ell_1, v_1) \cdots \xrightarrow{a_{n-1}} (\ell_n, v_n) \xrightarrow{\delta_n} (\ell_n, v_n + \delta_n) \cdots$

is $\Delta$-faulty if: (1) there is an index $i$ s.t. $a_i = f$ and (2) the duration of the run $\rho' = (\ell_i, v_i) \cdots \xrightarrow{\delta_n} (\ell_n, v_n + \delta_n) \cdots$ is larger than $\Delta$. We let $Faulty_{\ge\Delta}(A)$ be the set of $\Delta$-faulty runs of $A$. Note that by definition, if $\Delta' \ge \Delta$ then $Faulty_{\ge\Delta'}(A) \subseteq Faulty_{\ge\Delta}(A)$. We let $Faulty(A) = \bigcup_{\Delta \ge 0} Faulty_{\ge\Delta}(A) = Faulty_{\ge 0}(A)$ be the set of faulty runs of $A$, and $NonFaulty(A) = Runs(A) \setminus Faulty(A)$ be the set of non-faulty runs of $A$. Finally

$Faulty^{tr}_{\ge\Delta}(A) = Tr(Faulty_{\ge\Delta}(A))$

and

$NonFaulty^{tr}(A) = Tr(NonFaulty(A))$

which are the traces³ of $\Delta$-faulty and non-faulty runs of $A$.

Figure 1. The Timed Automaton $A(\alpha)$ (figure not reproduced in this text; its invariant is $[x \le 3]$).

The purpose of fault diagnosis is to detect a fault as soon as possible. Faults are unobservable and only the events in $\Sigma$ can be observed, as well as the time elapsed between these events. Whenever the system generates a timed word $w$, the observer can only see $\pi_{/\Sigma}(w)$. If an observer can detect faults in this way it is called a diagnoser. A diagnoser must detect a fault within a given delay $\Delta \in \mathbb{N}$.

Definition 3 ($\Delta$-Diagnoser): Let $A$ be a TA over the alphabet $\Sigma_{\tau,f}$ and $\Delta \in \mathbb{N}$. A $\Delta$-diagnoser for $A$ is a mapping $D : TW^*(\Sigma) \to \{0, 1\}$ such that:

• for each $\rho \in NonFaulty(A)$, $D(tr(\rho)) = 0$,

• for each $\rho \in Faulty_{\ge\Delta}(A)$, $D(tr(\rho)) = 1$. ■

$A$ is $\Delta$-diagnosable if there exists a $\Delta$-diagnoser for $A$. $A$ is diagnosable if there is some $\Delta \in \mathbb{N}$ s.t. $A$ is $\Delta$-diagnosable.

Remark 1: Nothing is required for the $\Delta'$-faulty words with $\Delta' < \Delta$. Thus a diagnoser could change its mind and answer 1 for a $\Delta'$-faulty word, and 0 for a $\Delta''$-faulty word with $\Delta' < \Delta'' < \Delta$.

Example 1: The TA $A(3)$ in Fig. 1, taken from [8], is 3-diagnosable. For the timed words of the form $t.a.\delta.b.t'$ with $\delta \le 3$, no fault has occurred, whereas when $\delta > 3$ a fault must have occurred. A diagnoser can then be easily constructed. As we have to wait for a "$b$" action to detect a fault, $D$ cannot detect a fault in 2 time units. If $\alpha = 2$, in $A(2)$ there are two runs:

$\rho_1(\delta) = (l_0, 0) \to (l_1, 0) \xrightarrow{2.5} (l_1, 2.5) \to (l_2, 2.5) \xrightarrow{0.2} (l_2, 2.7) \to (l_3, 2.7) \xrightarrow{\delta} (l_3, 2.7 + \delta)$

$\rho_2(\delta) = (l_0, 0) \to (l_1, 0) \xrightarrow{2.5} (l_1, 2.5) \to (l_4, 2.5) \xrightarrow{0.2} (l_4, 2.7) \to (l_5, 2.7) \xrightarrow{\delta} (l_5, 2.7 + \delta)$

that satisfy $tr(\rho_1(\delta)) = tr(\rho_2(\delta))$, and this for every $\delta \ge 0$. For each $\Delta \in \mathbb{N}$, there are two runs $\rho_1(\Delta)$ and $\rho_2(\Delta)$ which produce the same observations and thus no diagnoser can exist. $A(2)$ is not diagnosable.

³ Notice that $tr(\rho)$ erases $\tau$ and $f$.

The classical fault diagnosis problems are the following:

Problem 1 (Bounded or $\Delta$-Diagnosability):
Inputs: A TA $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$ and $\Delta \in \mathbb{N}$.
Problem: Is $A$ $\Delta$-diagnosable?

Problem 2 (Diagnosability):
Inputs: A TA $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$.
Problem: Is $A$ diagnosable?

Problem 3 (Maximum delay):
Inputs: A TA $A = (L, l_0, X, \Sigma_{\tau,f}, E, Inv)$.
Problem: If $A$ is diagnosable, what is the minimum $\Delta$ s.t. $A$ is $\Delta$-diagnosable?

We do not address here the problem of synthesizing a diagnoser and the reader is referred to [6], [5], [8], [9] for a detailed presentation.

A necessary and sufficient condition for diagnosability was already established in [3], but was stated on a candidate diagnoser. We give here a simple language based condition, valid in both the discrete and timed cases. According to Definition 3, $A$ is diagnosable iff there is some $\Delta \in \mathbb{N}$ s.t. $A$ is $\Delta$-diagnosable. Thus:

$A$ is not diagnosable $\iff \forall \Delta \in \mathbb{N}$, $A$ is not $\Delta$-diagnosable.

Moreover a trace based definition of $\Delta$-diagnosability can be stated as: $A$ is $\Delta$-diagnosable iff

$Faulty^{tr}_{\ge\Delta}(A) \cap NonFaulty^{tr}(A) = \emptyset. \qquad (1)$

This gives a necessary and sufficient condition for non-diagnosability and thus diagnosability:

$\forall \Delta \in \mathbb{N},\ \exists \rho \in NonFaulty(A),\ \exists \rho' \in Faulty_{\ge\Delta}(A) \text{ s.t. } tr(\rho) = tr(\rho'), \qquad (2)$

or in other words, $A$ is $\Delta$-diagnosable iff there is no pair of runs $(\rho_1, \rho_2)$ with $\rho_1 \in Faulty_{\ge\Delta}(A)$, $\rho_2 \in NonFaulty(A)$ the traces of which are equal.

IV. Algorithms for Discrete Event Systems 

In this section we briefly review the main results about diagnosability of discrete-event systems. We consider here that the DES is given by a FA $A = (Q, q_0, \Sigma_{\tau,f}, \to)$.

Moreover we assume that the automaton $A$ is such that every faulty run of length $n$ can be extended to a run of length $n+1$; this assumption simplifies the proofs (of some lemmas in [10]) and if $A$ does not satisfy it, it is easy to add $\tau$ loops to deadlock states of $A$ to ensure it holds. This does not modify the observation made by the external observer and thus does not modify the diagnosability status of $A$.



A. Problem 1

To check Problem 1 we have to decide whether there is a $(\Delta+1)$-faulty run $\rho_1$ and a non-faulty run $\rho_2$ that give the same observations when projected on $\Sigma$. An easy way to do this is to build a finite automaton $B$ which accepts exactly those runs, and check whether $\mathcal{L}(B)$ is empty or not.

Let $A_1 = (Q \times \{-1, 0, \cdots, \Delta+1\}, (q_0, -1), \Sigma_\tau, \to_1)$ be the automaton with $\to_1$ defined by:

• $(q, n) \xrightarrow{\lambda}_1 (q', n)$ if $q \xrightarrow{\lambda} q'$ and $n = -1$ and $\lambda \in \Sigma \cup \{\tau\}$,

• $(q, n) \xrightarrow{\lambda}_1 (q', \min(n+1, \Delta+1))$ if $q \xrightarrow{\lambda} q'$ and $n \ge 0$ and $\lambda \in \Sigma \cup \{\tau\}$;

• $(q, n) \xrightarrow{\tau}_1 (q', \min(n+1, \Delta+1))$ if $q \xrightarrow{f} q'$.

Let $A_2 = (Q, q_0, \Sigma_\tau, \to_2)$ with: $q \xrightarrow{\lambda}_2 q'$ if $q \xrightarrow{\lambda} q'$ and $\lambda \in \Sigma \cup \{\tau\}$. Define $B = A_1 \times A_2$ with the final states $F_B$ of $B$ given by: $F_B = \{((\ell, \Delta+1), \ell') \mid (\ell, \ell') \in Q \times Q\}$. We let $R_B = \emptyset$. It is straightforward to see that:

Theorem 2: $A$ is $\Delta$-diagnosable iff $\mathcal{L}^*(B) = \emptyset$.

As language emptiness for $B$ amounts to reachability checking, it can be done in linear time in the size of $B$. Still, strictly speaking, the automaton $B$ has size $(\Delta+1) \cdot |A|^2$, which is exponential in the size of the inputs of the problem $A$ and $\Delta$ because $\Delta$ is given in binary. Thus Problem 1 can be solved in EXPTIME. As storing $\Delta$ requires only polynomial space, Problem 1 is in PSPACE. Actually checking Problem 1 can be done in PTIME (see the end of this section).

B. Problem 2

To check whether $A$ is diagnosable, we build a synchronized product $A_1 \times A_2$, s.t. $A_1$ behaves exactly as $A$ but records in its state whether a fault has occurred, and $A_2$ behaves like $A$ without the faulty runs as before. It is then as if $\Delta = 0$ in the previous construction. We let $\to_{1,2}$ be the transition relation of $A_1 \times A_2$. A faulty run of $A_1 \times A_2$ is a run for which $A_1$ reaches a faulty state of the form $(q, 1)$. To decide whether $A$ is diagnosable we build an extended version of $A_1 \times A_2$ which is a Büchi automaton $B$ as follows: $B$ has a boolean variable $z$ which records whether $A_1$ participated in the last transition fired by $A_1 \times A_2$. Assume we have a predicate⁴ $A_1Move(t)$ which is true when $A_1$ participates in a transition $t$ of the product $A_1 \times A_2$. A state of $B$ is a pair $(s, z)$ where $s$ is a state of $A_1 \times A_2$. $B$ is given by the tuple $((Q \times \{0, 1\} \times Q) \times \{0, 1\}, ((q_0, 0), q_0, 0), \Sigma_\tau, \to_B, \emptyset, R_B)$ with:

• $(s, z) \xrightarrow{\lambda}_B (s', z')$ if (i) there exists a transition $t : s \xrightarrow{\lambda}_{1,2} s'$ in $A_1 \times A_2$, and (ii) $z' = 1$ if $A_1Move(t)$ and $z' = 0$ otherwise;

• $R_B = \{(((q, 1), q'), 1) \mid ((q, 1), q') \in A_1 \times A_2\}$.

$B$ accepts the language $\mathcal{L}(B) = \mathcal{L}^\omega(B) \subseteq \Sigma^\omega$. Moreover this language satisfies a nice property:

Theorem 3 ([10]): $A$ is diagnosable iff $\mathcal{L}^\omega(B) = \emptyset$.

This theorem has for consequence that the diagnosability problem can be checked in quadratic time: the automaton $B$ has size $4 \cdot |A|^2$, i.e., $O(|A|^2)$, and checking emptiness for a Büchi automaton can be done in linear time. Thus diagnosability can be checked in PTIME. Polynomial algorithms for checking diagnosability (Problem 2) were already reported in [5], [6]. In these two papers, the plant cannot have unobservable loops, i.e., loops that consist of $\tau$ actions. Our algorithm does not have this limitation (we may even have to add $\tau$ loops to ensure that each faulty run can be extended). Note also that in [5], [6], the product construction is symmetric in the sense that $A_2$ is a copy of $A$ as well. Our $A_2$ does not contain the $f$ transitions, which is a minor difference complexity-wise, but in practice this can be useful to reduce the size of the product.

⁴ This is easy to define when building $A_1 \times A_2$.

Moreover, reducing Problem 2 to emptiness checking of Büchi automata is interesting in many respects:

• the proof (see [10]) of Theorem 3 is easy and short; algorithms for checking Büchi emptiness are well-known and correctness follows easily as well;

• this also implies that standard tools from the model-checking/verification community can be used to check for diagnosability. There are very efficient tools to check for Büchi emptiness (e.g., Spin [11]). Numerous algorithms, like on-the-fly algorithms [12], have been designed to improve memory/time consumption (see [13] for an overview). Also, when the DES is not diagnosable, a counter-example is provided by these tools. The input languages (like Promela for Spin) that can be used to specify the DES are more expressive than the specification languages of some dedicated tools⁵ like DESUMA/UMDES [14] (notice that the comparison with DESUMA/UMDES concerns only the diagnosability algorithms; DESUMA/UMDES can perform a lot more than checking diagnosability).

From Theorem 3 one can also conclude that diagnosability amounts to bounded diagnosability: indeed if $A$ is diagnosable, there can be no accepting cycle of faulty states in $B$; in this case there cannot be a faulty run of length more than $2 \cdot |Q|^2$ in $B$. Thus Problem 2 reduces to a particular instance of Problem 1, which was already stated in [6]:

Theorem 4 ([6]): $A$ is diagnosable if and only if $A$ is $(2 \cdot |Q|^2)$-diagnosable.

This calls for some final remarks on the algorithms we should choose to check diagnosability: for the particular case of $\Delta = 2 \cdot |A|^2$, solving Problem 1 (a reachability problem) can be done in time $2 \cdot |A|^2 \cdot |A|^2$, i.e., $O(|A|^4)$, whereas solving directly Problem 2 as a Büchi emptiness problem can be done in $O(|A|^2)$. Thus the extra cost of using a reachability algorithm is still reasonable.

The Büchi-emptiness algorithm used to solve Problem 2 can also be used to solve Problem 1 for a given $\Delta$ and automaton $A$ with set of states $Q$: if $\Delta \ge 2 \cdot |Q|^2$, then we check whether $A$ is diagnosable and this gives the answer to Problem 1; otherwise, if $\Delta < 2 \cdot |Q|^2$, we check whether $A$ is $\Delta$-diagnosable, but in polynomial time. Hence Problem 1 can be solved in polynomial time $O(|A|^4)$.

Finally, solving Problem 3 can be done by a binary search solving iteratively $\Delta$-diagnosability problems starting with $\Delta = 2 \cdot |A|^2$. Thus Problem 3 can be solved in $O(|A|^4)$. Using a different approach, Problem 3 was reported to be solvable in $O(|Q|^3)$ in [15].

⁵ UMDES was the only publicly available tool which could be found by a Google search.
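The two constructions of this section, as an added Python example that is not code from the paper: `is_delta_diagnosable` builds $A_1 \times A_2$ with the counter $n \in \{-1, \ldots, \Delta+1\}$ and checks reachability of a counter value $\Delta+1$ (Theorem 2), and `is_diagnosable` builds the Büchi automaton $B$ with the bit $z$ and looks for a reachable accepting state that lies on a cycle (Theorem 3); `delta_bound` is the $2 \cdot |Q|^2$ of Theorem 4. The product is explored on the fly from its initial state rather than built in full, and the deadlock $\tau$-loops the text assumes are added first. The four sample plants, the event names `tau` and `f`, and the function names are assumptions of the example; the cycle search is a plain breadth-first search per accepting state, not one of the linear-time algorithms the text refers to.

```python
from collections import deque

TAU, FAULT = "tau", "f"   # the unobservable events tau and f of Sigma_{tau,f}

class FA:
    """Finite automaton (Q, q0, Sigma_{tau,f}, ->); `trans` is a set of (q, event, q')."""
    def __init__(self, init, trans):
        self.init, self.trans = init, set(trans)
        self.states = {init} | {q for q, _, _ in trans} | {q2 for _, _, q2 in trans}

    def out(self, q):
        return [(ev, q2) for (p, ev, q2) in self.trans if p == q]

    def with_tau_loops(self):
        """Page assumption: every run is extendable; add tau self-loops to deadlocks."""
        dead = {q for q in self.states if not self.out(q)}
        return FA(self.init, self.trans | {(q, TAU, q) for q in dead})

def a1_successors(fa, state, delta):
    """A1 moves. With an integer delta, n is the counter of the three rules of
    Section IV-A; with delta=None, n is the 0/1 fault flag of Section IV-B."""
    q, n = state
    for ev, q2 in fa.out(q):
        if ev == FAULT:                        # f is relabelled tau in A1
            yield TAU, (q2, 1 if delta is None else min(n + 1, delta + 1))
        elif delta is None or n == -1:         # flag unchanged / no fault yet
            yield ev, (q2, n)
        else:                                  # counting steps after the fault
            yield ev, (q2, min(n + 1, delta + 1))

def a2_successors(fa, q):
    """A2 is A without its f transitions."""
    return [(ev, q2) for ev, q2 in fa.out(q) if ev != FAULT]

def product_successors(fa, s, delta):
    """Definition 2 on FA: observable events synchronise, tau moves interleave.
    Yields (s', a1_moved); a1_moved is the predicate A1Move(t) of the text."""
    s1, s2 = s
    for ev, t1 in a1_successors(fa, s1, delta):
        if ev == TAU:
            yield (t1, s2), True
        else:
            for ev2, t2 in a2_successors(fa, s2):
                if ev2 == ev:
                    yield (t1, t2), True
    for ev2, t2 in a2_successors(fa, s2):
        if ev2 == TAU:
            yield (s1, t2), False

def explore(fa, init, delta):
    """Reachable part of A1 x A2 from `init`, as a successor map (built on the fly)."""
    succ, queue = {}, deque([init])
    while queue:
        s = queue.popleft()
        if s in succ:
            continue
        succ[s] = list(product_successors(fa, s, delta))
        queue.extend(t for t, _ in succ[s])
    return succ

def is_delta_diagnosable(fa, delta):
    """Theorem 2: Delta-diagnosable iff no state of F_B (counter = Delta+1) is reachable."""
    fa = fa.with_tau_loops()
    succ = explore(fa, ((fa.init, -1), fa.init), delta)
    return all(s1[1] != delta + 1 for (s1, _) in succ)

def reachable(bsucc, starts):
    seen, queue = set(), deque(starts)
    while queue:
        s = queue.popleft()
        if s not in seen:
            seen.add(s)
            queue.extend(bsucc[s])
    return seen

def is_diagnosable(fa):
    """Theorem 3: diagnosable iff the Büchi automaton B has no reachable accepting
    cycle. States of B are (s, z); R_B = A1 in a faulty state (flag 1) and z = 1."""
    fa = fa.with_tau_loops()
    succ = explore(fa, ((fa.init, 0), fa.init), None)
    bsucc = {(s, z): [(t, int(moved)) for t, moved in moves]   # z' = A1Move(t)
             for s, moves in succ.items() for z in (0, 1)}
    init = (((fa.init, 0), fa.init), 0)
    for state in reachable(bsucc, [init]):
        (s1, _), z = state
        if z == 1 and s1[1] == 1 and state in reachable(bsucc, bsucc[state]):
            return False                       # an R_B state lies on a cycle
    return True

def delta_bound(fa):
    """Theorem 4: diagnosability coincides with (2|Q|^2)-diagnosability."""
    return 2 * len(fa.states) ** 2

# Constructed sample plants (assumptions for this example).
IMMEDIATE = FA("q0", [("q0", "a", "q1"), ("q0", FAULT, "q2"),
                      ("q1", "b", "q1"), ("q2", "c", "q2")])      # c betrays f at once
DELAYED = FA("q0", [("q0", "a", "q1"), ("q1", TAU, "q2"), ("q1", FAULT, "q3"),
                    ("q2", "b", "q4"), ("q4", "d", "q4"),
                    ("q3", "b", "q5"), ("q5", "c", "q5")])      # f betrayed by c after b
HIDDEN = FA("q0", [("q0", "a", "q1"), ("q1", TAU, "q2"), ("q1", FAULT, "q3"),
                   ("q2", "b", "q2"), ("q3", "b", "q3")])        # f never betrayed
STUCK = FA("q0", [("q0", "a", "q1"), ("q1", FAULT, "q2"),
                  ("q1", TAU, "q3"), ("q3", "b", "q3")])         # deadlock after f
```

`STUCK` shows why the extendability assumption matters: without the added $\tau$ loop on `q2` the counter of $A_1$ could never advance past the fault and the plant would wrongly look $\Delta$-diagnosable, although the finite non-faulty run $a\,\tau$ and the faulty run $a\,f\,\tau\,\tau\cdots$ have the same trace $a$.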

In the sequel we recall the algorithm for checking diag- 
nosability for TA and establish a counterpart of Theorem |4] 
for TA. 

V. Algorithms for Timed Automata 

We first recall how to check $\Delta$-diagnosability for TA, which first appeared in [8].

A. Problem 1

Let $t$ be a fresh clock not in $X$. Let $A_1(\Delta) = ((L \times \{0, 1\}) \cup \{Bad\}, (l_0, 0), X \cup \{t\}, \Sigma_\tau, E_1, Inv_1)$ with:

• $((\ell, n), g, \lambda, r, (\ell', n)) \in E_1$ if $(\ell, g, \lambda, r, \ell') \in E$, $\lambda \in \Sigma \cup \{\tau\}$;

• $((\ell, 0), g, \tau, r \cup \{t\}, (\ell', 1)) \in E_1$ if $(\ell, g, f, r, \ell') \in E$;

• $Inv_1((\ell, n)) = Inv(\ell)$;

• for $\ell \in L$, $((\ell, 1), t > \Delta, \tau, \emptyset, Bad) \in E_1$

and $A_2 = (L, l_0, X_2, \Sigma_\tau, E_2, Inv_2)$ with:

• $X_2 = \{x_2 \mid x \in X\}$ (clocks of $A$ are renamed);

• $(\ell, g_2, \lambda, r_2, \ell') \in E_2$ if $(\ell, g, \lambda, r, \ell') \in E$, $\lambda \in \Sigma \cup \{\tau\}$, with: $g_2$ is $g$ where the clocks $x$ in $X$ are replaced by their counterpart $x_2$; $r_2$ is $r$ with the same renaming;

• $Inv_2(\ell) = Inv(\ell)$.

Consider $A_1(\Delta) \times A_2$. A faulty state of $A_1(\Delta) \times A_2$ is a state of the form $(((\ell, 1), v), (\ell', v'))$, i.e., where the state of $A_1$ is faulty. Let $Runs_{\ge\Delta}(A_1(\Delta) \times A_2)$ be the runs of $A_1(\Delta) \times A_2$ s.t. a faulty state of $A_1$ is encountered and s.t. at least $\Delta$ time units have elapsed after this state. If this set is not empty, there are two runs, one $\Delta$-faulty and one non-faulty, which give the same observation. Moreover, because $t$ is reset exactly when the first fault occurs, we have $t > \Delta$. Conversely, if a state of the form $(((\ell, 1), v), (\ell', v'))$ with $v(t) > \Delta$ is reachable, then there are two runs, one $\Delta$-faulty and one non-faulty, which give the same observation. Location $Bad$ in $A_1$ is thus reachable exactly if $A$ is not $\Delta$-diagnosable. Let $D$ be $A_1(\Delta) \times A_2$ with the final set of locations $F_D = \{Bad\}$ and $R_D = \emptyset$.

Theorem 5 ([8]): $A$ is $\Delta$-diagnosable iff $\mathcal{L}^*(D) = \emptyset$.

Checking reachability of a location for TA is PSPACE-complete [7]. More precisely, it can be done in linear time on the region graph. The size of the region graph of $D$ is $(2 \cdot |L|^2 + |L|) \cdot (2|X| + 1)! \cdot 2^{2|X| + 1} \cdot K^{2|X|} \cdot \Delta$ where $K$ is the maximal constant appearing in $A$. Hence:

Corollary 1: Problem 1 can be solved in PSPACE for TA.

B. Problem 2

As for the untimed case, we build an automaton $D$, which is a special version of $A_1(\Delta) \times A_2$. Assume $A_1$ is defined as before, omitting the clock $t$ and the location $Bad$. In the timed case, we have to take care of the following real-time related problems [8]:

• some runs of $A_2$ might prevent time from elapsing from a given point in time. In this case, equation (1) cannot be satisfied but this is for an artificial reason: for $\Delta$ large enough, there will be no $\Delta$-faulty run in $A_1 \times A_2$ because $A_2$ will block the time. In this case we can claim that $A$ is diagnosable but it is not realistic;

• a more tricky thing may happen: $A_1$ could produce a Zeno run⁶ after a fault occurred. This could happen by firing infinitely many $\tau$ transitions in a bounded amount of time. If we declare that $A$ is not diagnosable but the only witness run is a Zeno run, it does not have any physical meaning. Thus to declare that $A$ is not diagnosable, we should find a non-Zeno witness which is realizable, and for which time diverges.

To cope with the previous dense-time related problems we have to ensure that the two following conditions are met:

C1: $A_2$ is timelock-free, i.e., $A_2$ cannot prevent time from elapsing; this implies that every finite non-faulty run of $A_2$ can be extended into a time divergent run. We can assume that $A_2$ satisfies this property or check it on $A_2$ before checking diagnosability;

C2: for $A$ to be non-diagnosable, we must find an infinite run in $A_1 \times A_2$ for which time diverges.

C2 can be enforced by adding a third timed automaton $Div(x)$ and synchronizing it with $A_1 \times A_2$. Let $x$ be a fresh clock not in $X$. Let $Div(x) = (\{0, 1\}, 0, \{x\}, E, Inv)$ be the TA given in Fig. 2. If we use $F = \emptyset$ and $R = \{1\}$ for $Div(x)$, any accepted run is time divergent. Let $D = (A_1 \times A_2) \times Div(x)$ with $F_D = \emptyset$ and $R_D$ the set of states where $A_1$ is in a faulty state and $Div(x)$ is in location 1. The following theorem is the TA counterpart of Theorem 3.

Figure 2. Timed Automaton $Div(x)$ (figure not reproduced in this text; its locations carry the invariant $[x \le 1]$ and its edges are labelled $x = 1;\ \tau;\ x := 0$).

Theorem 6 ([8]): $A$ is diagnosable iff $\mathcal{L}^\omega(D) = \emptyset$.

Deciding whether $\mathcal{L}^\omega(A) \neq \emptyset$ for TA is PSPACE-complete [7]. Thus deciding diagnosability is in PSPACE.

⁶ A Zeno run is a run with infinitely many discrete steps the duration of which is bounded.

The reachability problem for TA can be reduced to a diagnosability problem [8]. Let $A$ be a TA on alphabet $\Sigma$ and $End$ a particular location of $A$. We want to check whether $End$ is reachable in $A$. It suffices to build $A'$ on the alphabet $\Sigma_{\tau,f}$ by adding to $A$ the following transitions: $(End, \text{TRUE}, \lambda, \emptyset, End)$ for $\lambda \in \{\tau, f\}$. Then: $A'$ is not diagnosable iff $End$ is reachable in $A$. It follows that:

Theorem 7 ([8]): Problem 2 is PSPACE-complete for TA.

We can draw another conclusion from the previous theorem: if a TA $A$ is diagnosable, there cannot be any cycle with faulty states in the region graph of $A_1 \times A_2 \times Div(x)$. Indeed, otherwise, by Theorem 1 there would be a non-Zeno word in $A_1 \times A_2 \times Div(x)$ itself⁷. Let $\alpha(A)$ denote the size of the region graph $RG(A_1 \times A_2 \times Div(x))$. If $A$ is diagnosable, then (P1): a faulty state in $RG(A_1 \times A_2 \times Div(x))$ can be followed by at most $\alpha(A)$ (faulty) states. Notice that a faulty state cannot be followed by a state $(s, r)$ where $r$ is an unbounded region of $A$, as this would give rise to a non-Zeno word in $A_1 \times A_2 \times Div(x)$. Hence (P2): all the regions following a faulty state in $RG(A_1 \times A_2 \times Div(x))$ are bounded. As the amount of time which can elapse within a region is less than 1 time unit⁸, this implies that the duration of the longest faulty run in $A_1 \times A_2 \times Div(x)$ is less than $\alpha(A)$. Actually, as every other region is a singular region⁹, it must be less than $(\alpha(A)/2) + 1$. Thus we obtain the following result:

Theorem 8: $A$ is diagnosable if and only if $A$ is $((\alpha(A)/2) + 1)$-diagnosable.

As diagnosability can be reduced to $\Delta$-diagnosability for TA:

Corollary 2: Problem 1 is PSPACE-complete for TA.

Problem 3 can be solved by a binary search and is also in PSPACE for TA. Although Problem 1 and Problem 2 are PSPACE-complete for timed automata, the price to pay to solve Problem 2 as a reachability problem is much higher than solving it as a Büchi emptiness problem: indeed the size of the region graph of $A_1(\alpha(A)) \times A_2$ is the square of the size of the region graph of $A_1 \times A_2 \times Div(x)$, which is already exponential in the size of $A$. Time-wise this means a blow up from $2^n$ to $2^{n^2}$ which, unlike the discrete case, is not negligible.

VI. Conclusion 

The main conclusions we can draw from the previous presentation are twofold.

From a theoretical viewpoint, it shows that the fault diagnosis algorithms for DES and for TA are essentially the same: in both cases, diagnosability can be reduced to Büchi emptiness, and also to bounded diagnosability. The interesting point is that the complexity of the algorithms is the same for DES and TA, except that for timed automata the complexity measure is space (Table I).

TABLE I
Summary of the Results

        | Δ-Diagnosability     | Diagnosability
        | Reach Algorithm      | Büchi Algorithm      | Reach Algorithm
--------+----------------------+----------------------+----------------------
DES     | PTIME, O(|A|^4)      | PTIME, O(|A|^2)      | PTIME, O(|A|^4)
TA      | PSPACE-C.            | PSPACE-C., O(|A|^2)  | PSPACE-C., O(|A|^4)


From a practical viewpoint, it clearly shows that the model-checking algorithms and tools developed in the model-checking/verification community can be used to solve the diagnosability problems; these tools usually have a very expressive specification language (e.g., Promela/Spin [16], UPPAAL [17] or KRONOS [18]) and very efficient data structures/implementations (e.g., [13] or [19]).

⁷ Note that this is true because we add the automaton $Div(x)$. Otherwise an infinite run in the region graph of a TA does not imply a time divergent run in the TA $A$ itself.

⁸ We assume the constants are integers.

⁹ A singular region is a region in which time elapsing is not possible, e.g., defined by $x = 0 \wedge y > 1$.

We can also use the results in Table I to guide our choice of algorithms for checking diagnosability. Let Reach denote the reachability algorithm for checking $\Delta$-diagnosability and Büchi denote the Büchi emptiness algorithm for checking diagnosability:

• time-wise, solving the diagnosability problem for a finite automaton using Reach is a bit more expensive than using Büchi, but the difference is not drastic;

• for a timed automaton $A$ it is totally different: space-wise the amount of space required by Reach is the square of the amount of space required by Büchi. Time-wise this means a worst case blow up from $2^{|A|^2}$ to $2^{|A|^4}$. It is thus clear that one should use the Büchi emptiness algorithm in this case. Checking Büchi emptiness for TA is efficiently implemented in a version of KRONOS (Profounder) [20] and in UPPAAL-TiGA [21], the game version of UPPAAL [22].

The previous results show that model-checking tools (both for finite and timed automata) are suitable to solve the diagnosis problems, and provide expressive specification languages and efficient algorithms and tools.